Mixing heimdal and MIT clients.

Q for the list:

If I'm using heimdal to obtain the TGT, should another client linked
against MIT be able to read the ccache and fetch a service ticket? I
ask because from what I've read I think it should, but for the life
of me I can't get it to work.

Scenario: logins with pam_krb5 (linked against heimdal-1.0.1) and an
AD KDC. Clients (Firefox and smbclient, frex) linked against MIT 1.6.

I can work around Firefox by setting network.negotiate-auth.gsslib to
heimdal's libgssapi, after which integrated auth works just fine in
Firefox. But fixing smbclient this way would mean forking a
distribution package, linking against heimdal, and pinning it--*or*
mucking about with symlinks--neither of which I'd like to do.

I've traced smbclient and I can see it opening the ccache correctly,
but it fails to note the TGT I have. The specific error in both
Firefox and smbclient is KRB5_NO_TKT_IN_RLM:

(After a pam_krb5 login)

user@xubuntu:~$ klist
Credentials cache: FILE:/tmp/krb5cc_10020
        Principal: user@TEST.DOMAIN.LOCAL

  Issued           Expires          Principal
Jan 14 14:13:26  Jan 14 20:53:26  krbtgt/TEST.DOMAIN.LOCAL@TEST.DOMAIN.LOCAL

user@xubuntu:~$ smbclient -k //testdc.test.domain.local/xfer
ads_krb5_mk_req: krb5_get_credentials failed for testdc$@TEST.DOMAIN.LOCAL (Cannot find ticket for requested realm)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find ticket for requested realm
session setup failed: SUCCESS - 0

Clearly I'm wrong about something. Any help would be appreciated.
-- Tim